It’s 8 a.m., and you just learned that a material cyber-incident occurred in your organization. You fire up your Incident Response Plan. You engage outside counsel, and outside counsel engages a forensic firm. Your company, your outside counsel, and your forensic firm all sign an agreement that the forensic firm will work at the direction of outside counsel. You feel confident that your investigation of the incident and the accompanying forensic report labeled “prepared at the direction of counsel” is protected by privilege. You may want to think again.

Dealing with a cyber-incident has always been a stress-inducing process that involves careful planning and organization. However, a recent decision in the United States District Court for the Eastern District of Virginia just made things more complicated — placing companies who fail to understand its implications in danger of substantial litigation risk.

Background

Last year, a large financial institution suffered a data incident whereby an unauthorized person gained access to certain types of customer personal information, according to a class-action complaint filed shortly after the incident. The financial institution, attempting to be prepared for this type of attack, had entered into a retainer agreement with a cyber-forensic firm prior to the data incident’s occurrence. The retainer was designated as a “business critical” expense. After discovery of the incident, the financial institution hired outside counsel to provide legal advice in connection with the data incident. An agreement was entered into by outside counsel, the financial institution, and the cyber-forensic firm to engage the cyber-forensic firm to provide work at the direction of outside counsel. An addendum to the agreement also engaged the cyber-forensic firm to perform post-incident penetration testing.

The cyber-forensic firm performed the investigation and prepared a report describing the factors and technical details of the attack. The report, which was originally provided to outside counsel and internal legal, was also shared with the financial institution’s board of directors, regulators, and an accounting firm.

Shortly after the incident was publicly disclosed, class action lawsuits were filed. As part of a discovery dispute in the lawsuits, the plaintiffs filed a motion to compel the production of the cyber-forensic report. The court ordered the financial institution to produce the report, determining that the report was not prepared in a way that was substantially different than if there was no potential for litigation. In other words, routine investigative reports are not, in and of themselves, privileged even if created at the direction of counsel.

Be Prepared, but Cautious

As privacy professionals, we often advise companies to be prepared for a cyber-event. Yet, it was preparation that ultimately led the court to conclude that privilege did not exist in this case. Specifically, the defendant had a long-standing relationship with the cyber-forensic firm to perform similar services to the work that went into preparing the forensic report at issue. It is also important to note that the court zeroed in on the fact that the retainer with the forensic firm was designated as a “business” expense versus a “legal” expense at the time it was paid.

Although different jurisdictions define what constitutes privileged work product with slight nuances, the doctrine’s primary tenet is fairly universal: For cyber-reports to be protected, there must be indicia that they were created “because of the prospect of litigation.” Here, the fact that there was an existing agreement at the time of the data incident was a key factor in the court’s determination that the work would have been performed in substantially the same form even if there was no prospect of litigation. While this notion of the work product doctrine only applying to material prepared in anticipation of litigation is something counsel is very familiar with, this case serves as a stark reminder as to how narrowly this protection can be construed. The court explained that “[m]aterials prepared in the ordinary course of business or pursuant to regulatory requirements . . . are not documents prepared in anticipation of litigation” and “[i]n order to be entitled to protection, a document must be prepared ‘because of’ the prospect of litigation and the court must determine ‘the driving force behind the preparation of each requested document’ in resolving a work product immunity question.”

Outside Counsel Must Direct the Scope of the Cyber-Work

The court’s finding should send a chill through organizations that rely solely on the engagement of forensic investigators through outside counsel to protect privilege. As the court’s ruling demonstrates, the burden to demonstrate the applicability of privilege and work product in a cyber-incident is more complicated.

The mere act of hiring outside counsel to retain cyber-consultants does not, in and of itself, deputize every action as privileged, as demonstrated by cases cited in the court’s opinion. Even if a company has used a cyber-consultant in the past, it is imperative that the nature of the work envisioned for a cyber-investigator or forensic firm change when outside counsel is retained. In other words, the work performed must be for a legal purpose in anticipation of litigation, not merely a business or regulatory purpose. Further, outside counsel should direct the scope of the cyber-work to ensure that the investigation or forensic analysis is relevant to the defense of litigation. Defining the scope of work to differentiate preparation of reports in anticipation of litigation from other work will be imperative to maintain the protection.

Why Does This Matter?

Given this latest legal development, companies should treat the investigation of a cyber incident as the first step in defending against potential litigation. This means utilizing outside counsel to direct the scope of the investigation with an eye towards later defending claims relating to the data incident. This has never been more important since, under statutes such as the California Consumer Protection Act (CCPA), individuals now have an explicit private right of action for data breaches. As such, there is a potential for any data breach involving a California resident, in and of itself, to serve as the basis for litigation. With this in mind, companies should not only engage outside counsel as soon as there is indication of a security incident, but also ensure that they have hired competent counsel who has experience with data breaches and can effectively direct the scope of the cyber-work in a way that helps mitigate the risk of a court later determining that related cyber-reports are not protected by privilege.

Among the most significant aspects of the CARES Act is the $660 billion small business forgivable loan program known as the Paycheck Protection Program (PPP), and it was perhaps inevitable that the administration of the program would be followed by a wave of related litigation. Already, the PPP application process has generated lawsuits over the way some lenders interposed application conditions or allegedly prioritized certain borrower applicants over others.

Future lender liability litigation will more likely arise from failure or denial of loan forgiveness requests by borrowers. In these cases, borrowers may rely on state law claims such as negligence, fraud, breach of fiduciary duty, and unfair or deceptive practices as a basis for liability. Borrowers may claim consequential damages for the collapse of their business that far exceed the loan amount. Also, some plaintiffs may seek to frame False Claims Act (FCA) enforcement actions against lenders and borrowers related to the borrowers’ forgiveness eligibility certifications and use of the PPP funds. The FCA’s treble damage provisions will make it a particularly tempting option for asserting PPP-based claims.

Lender Liability

Future litigation could focus on the “substantive” or “procedural” aspects of how PPP loans are administered by the lender, especially as it relates to loan forgiveness. As to the former, a borrower might claim the lender failed to properly inform the borrower of the eligibility requirements for forgiveness. As to the latter, a borrower might allege the lender failed to fully or timely review the forgiveness application causing the application to be denied in whole or in part.

Substantively, the most important forgiveness eligibility factor remains the borrower’s certification that the PPP loan is “necessary to support the ongoing operations” of the borrower. The SBA announced that it would review this certification for loans over $2 million to ensure the borrower qualifies for forgiveness. The SBA’s threat of audits may have contributed to the return of $435 million of PPP loans, as shown by SEC data compiled by FactSquared. The other factor for forgiveness — the borrower’s actual use of the funds — may become an issue if the borrower claims that its lender went so far as to direct the borrower about how to use those funds to ensure eligibility for forgiveness. Such claims could take the form of a state law fraud or breach of fiduciary duty claim.

Other lender liability claims may arise out of the loan forgiveness process itself. On May 22, the SBA issued more rules and clarification detailing the forgiveness process and the borrowers’ and lenders’ responsibilities related thereto. Generally, the borrower will submit a request for forgiveness along with documentation showing compliance with the PPP to the lender. The lender then has 60 days to review a complete application and determine the borrower’s eligibility for forgiveness. The lender is entitled to rely on the borrower’s representations but must complete a good faith review of the application. The lender also must work with the borrower to remedy “errors in the borrower’s calculation or material lack of substantiation in the borrower’s supporting documents.” The lender then submits its determination to the SBA for approval, and the SBA may conduct its own review of the application and loan.

It should be noted that the May 22 interim final rules do not emphasize or amplify the previously announced presumption of good faith for the borrower’s “necessity” certification on loans under $2 million.

Some lenders, prudently and out of an abundance of caution, have included acknowledgements or disclaimers with the PPP loan applications or associated loan documentation making clear to borrowers that loan forgiveness is ultimately determined by the borrower’s compliance with the SBA’s rules and is subject to the SBA’s review and approval. Even without such affirmative PPP-specific statements in the loan documentation, lenders may rely on general legal principles regarding the existence of any extra-contractual duty when confronted with various common law tort claims. Forum selection clauses, damages limitations and other lender protections may be present in the lender’s promissory note and other loan documents.

False Claims Act

Even though the PPP reduces the underwriting burden by allowing lenders to rely on representations and documents provided by borrowers, a lender could face action under the FCA if the lender knew or should have known that the information provided by a borrower is false. FCA actions can be brought directly by the government or can take the form of a whistleblower or “qui tam” lawsuit brought by a private citizen. As mentioned above, the FCA allows a prevailing litigant to obtain relief in the form of treble damages.

While the SBA’s April 2 interim rule states that the SBA “will hold harmless any lender that relies on … borrower documentations and [an] attestation from the borrower,” the SBA also requires a lender to conduct a good faith review and to comply with the lender obligations set forth in the May 22 interim rule, which specifically include Bank Secrecy Act and anti-money laundering compliance protocols. Diligent compliance with these protocols might ward off any charge that the lender blindly rubber-stamped forgiveness determinations in a way that could trigger application of the FCA.

Some Good News

Not all the news is bad in terms of PPP-related litigation. The approval of subsequent increased funding availability may well serve to limit future application-related claims. Additionally, and more significantly, at least one court has found that the CARES Act itself does not provide a private right of action to borrower applicants. And, as more PPP-related lawsuits are filed, financial institution defendants also will continue to develop defensive theories designed to defeat those claims.

* * *

These lender liability and FCA-related questions remain a moving target as federal loan administration rules and guidance evolve on a daily basis. We continue to track these issues and will publish additional blog posts in this area to address relevant new developments.

On May 22, 2020, the CFPB issued a No-Action Letter (NAL) Template to a software company utilizing an internet-based platform for submission and processing of loss mitigation applications. Mortgage servicers may use the NAL Template to apply for NALs if they wish to implement the web-based loss mitigation platform. The CFPB also issued a statement that “digitizing the loss mitigation application process has the potential to improve a process that is experiencing an increase in loss mitigation requests from consumers due to the COVID-19 pandemic.”

As discussed in a previous post, the CFPB revamped its NAL Policy in September of 2019 to expand the program and make the application process easier. In the three years prior to the revision, only one NAL had been obtained. Under the new policy, however, we have now seen three NAL Templates approved by the CFPB.

This NAL template was approved upon the application of Brace Software Inc., which offers an online platform for implementing loss mitigation processes. Mortgage servicers wishing to implement Brace’s online platform may apply for a NAL based on the template. In general, an applicant would need to certify that they intend to use the web-based platform to process loss mitigation applications, but may also continue to use other methods to process loss mitigation applications. When a borrower utilizes the online platform to apply for loss mitigation, a servicer would need to consider the loss mitigation application “received” for purposes of Regulation X, 12 CFR 1024.41(b)(2), when the borrower clicks “submit” in the online application form. If a servicer opts to use the platform and wishes to receive a NAL under the template, they must also process and give effect to cease communication requests received on the platform in addition to (but not instead of) processing and giving effect to cease communication requests received in writing. Of course, if a servicer wished to expand upon the platform, to functionalities beyond loss mitigation and cease communication requests, such information would also be included in an application for a NAL based on the template.

A NAL received by a servicer from the CFPB under this template would likely include a statement that, unless terminated, the CFPB will not make supervisory findings or bring a supervisory or enforcement action against the servicer under Regulation X, 12 CFR 1024.41(b)(2); section 805(c) of the FDCPA; or under 12 U.S.C. 5531, 5536.

Although this template appears limited to the implementation of Brace’s proprietary software services, it does signal the CFPB’s willingness to issue NALs for web-based mortgage servicing interfaces. As noted in Brace’s own application, while there may not currently be similar web-based platforms “there exists a vast array of vendors who have the capability to step in quickly and design a similar process.” Thus, it is possible we may see a proliferation of online mortgage servicing technologies which receive NALs from the CFPB.

Following previous guidance issued by (and in some cases withdrawn by) the OCC, CFPB, Federal Reserve, FDIC, and NCUA, the federal financial institution regulatory agencies published a joint statement on March 26, 2020, in response to COVID-19 “to specifically encourage financial institutions to offer responsible small-dollar loans to both consumers and small businesses.” The statement is somewhat confusing given the “love/hate” history of regulators with regard to businesses in the small-dollar lending space. However, much-needed new interagency lending principles for offering responsible small-dollar loans were issued on May 20, 2020 (the “Interagency Guidelines”) to clarify regulatory expectations.

Recognizing the potential for COVID-19 to adversely affect the operations and customers of financial institutions and the “important role” responsible small-dollar lending can play in helping consumers meet credit needs in times of disaster recovery or economic stress, the statement noted that “[f]ederally supervised financial institutions are well-suited to meet the credit needs of customers affected by the current COVID-19 emergency.” To that end, the agencies noted that products offered by financial institutions could potentially be modified to meet consumers’ credit needs in conformity with applicable laws and regulations.

The statement also noted that financial institutions may offer responsible small-dollar loans under current regulatory framework through various loan products, including closed-end installment loans, open-end lines of credit, or single payment loans, for example. In addition, the statement encourages financial institutions to “consider workout strategies designed to help enable the borrower to repay the principal of the loan while mitigating the need to re-borrow” for borrowers who may not be able to repay a loan as structured due to unexpected circumstances.

Importantly, the agencies recognized in the statement that responsible small-dollar loans can be beneficial to customers even in normal times, such as when unexpected expenses or temporary income short-falls arise. However, given conflicting issues with prior guidance in this space, future guidance and lending principles for what the agencies call “responsible” small-dollar loans were needed and recently delivered by the agencies.

The new Interagency Guidelines, unlike the statement, articulate principles for offering small-dollar loans in a “responsible manner to meet financial institutions customers’ short-term credit needs” through interagency guidelines to encourage supervised banks, savings associations, and credit unions to offer responsible small-dollar loans to customers for consumer and for small business purposes. The Interagency Guidelines gave insight on what regulators deem to be responsible small-dollar loan programs, which generally contain a high percentage of customers who are successful in repaying their loans, repayment terms, pricing, and safeguards that minimize “cycles of debt” such as rollovers and reborrowing, and repayment outcomes and program structures that enhance a customer’s financial capabilities. However, they also stated that financial institutions seeking to develop new small-dollar lending programs or expand existing programs should do so in a manner consistent with sound risk management principles, inclusive of appropriate policies. This may prove challenging as small-dollar loans often have high default rates and need a higher interest rate in order to be profitable, which may not be possible due to certain state law restrictions. These and other issues likely will prove challenging for the required sound risk management analysis and other bank policies.

The Interagency Guidelines further outlined the items that reasonable loan policies and sound risk management practices and controls would address. These include: (1) loan amounts and repayment terms that align with eligibility and underwriting criteria that promote fair treatment and credit access; (2) loan pricing that complies with applicable laws and reasonably relates to the lender’s risks and costs; (3) loan underwriting analysis that uses internal and/or external data sources, such as deposit account activity, to assess creditworthiness; (4) marketing and disclosures that comply with consumer protection laws and provide information in a clear, conspicuous, accurate, and customer-friendly manner; and (5) loan servicing processes that help ensure successful loan repayment and avoid continuous cycles of debt, including timely and reasonable workout strategies.

Interestingly, there was commentary in the Interagency Guidelines on using innovative technology and/or processes for customers who may not meet a financial institution’s traditional underwriting standards. This commentary further stated that such programs can be implemented in-house or through effectively managed third-party relationships. This commentary may help take some pressure off the bank partnership model in the area of small-dollar lending, quieting the critics and signaling a change that bank and fintech partnerships that offer sound and responsible innovative products to customers are here to stay.

The statement has drawn the ire of consumer advocates who believe these loans could trap people in a cycle of repeat re-borrowing at high rates. While the Interagency Guidelines certainly help clarify many issues for financial institutions and small-dollar lending, there are still some challenges and small-dollar lenders are advised to consult counsel for guidance regarding how the Interagency Guidelines will be implemented in practice.

In the very unusual period in which we find ourselves today, it seems to be common wisdom that an avalanche of commercial loan defaults is coming. As such, it is a good time to take a fresh look at the terms and provisions used in commercial workout documents, whether in a simple agreement that extends a maturity date or in a complex forbearance document that restructures the collateral arrangement and financial covenants.

One provision often used by creditors’ rights and workout attorneys is a prepetition automatic stay waiver. The automatic stay, of course, generally halts all attempts by creditors to exercise their rights and remedies, and goes into effect immediately upon a bankruptcy filing. It is therefore one of the most fundamental and powerful protections provided to a debtor. As such, if a creditor could negate a future bankruptcy automatic stay in an agreement entered into now, it would thereby avoid one of the debtor’s major protections in bankruptcy.

Unfortunately, prepetition stay waivers are sometimes not used by non-creditors’ rights and workout attorneys. This is reasonable enough, given the Bankruptcy Code’s bar on some so-called ipso facto clauses – contractual clauses that make a future bankruptcy a trigger for certain contractual events or results in favor of the non-debtor party. Non-workout practitioners often assume that any contractual provision that improves a creditor’s rights in the event of a future bankruptcy filing is unenforceable. The Bankruptcy Code, however, prohibits such clauses only in a few situations, none of which relate to the automatic stay.

And so the question arises for commercial lenders: Are automatic stay waivers enforceable in subsequent bankruptcy cases? The answer is “maybe,” and more specifically may depend upon which bankruptcy court is involved. Various courts and authors have attempted to categorize the various approaches used by courts, but this is not an easy task given the wide variety of prepetition facts and procedural settings involved. With that said, we would make the following observations about the enforceability of prepetition stay waivers.

To begin, some courts hold that prepetition automatic stay waivers are unenforceable per se, and some courts reach the opposite conclusion (that they are not unenforceable per se). Further, all courts appear to reject the proposition that such waivers are self-executing without any need for court approval.

As to specifics, numerous courts apply a multi-factor test to determine if prepetition stay waivers are enforceable. Relatedly, some courts consider them valid but only one of many factors in determining whether or not the stay should be lifted. Finally, a few courts appear to enforce prepetition stay waivers with little or no analysis.

Possibly the most important observation is that no creditor appears to have been punished or otherwise disadvantaged in attempting to enforce a prepetition automatic stay waiver in bankruptcy. As such, there is no reason not to include a prepetition automatic stay waiver in a workout or restructuring agreement. In doing so, however, the drafter should be familiar with the case law in the relevant jurisdiction. In most cases, that case law will provide additional guidance on what to include in a prepetition waiver provision, thereby improving the chances that it will be beneficial to the creditor in a later bankruptcy filing.

As financial services companies struggle to adapt to meet the unprecedented challenges imposed upon them by the COVID-19 outbreak, they also must not lose sight of other pre-existing federal mandates, such as the upcoming benchmark survey requirement imposed upon all businesses with ownership interests in foreign enterprises. The consequences of a financial services company failing to satisfy this important reporting deadline could be significant.

The Bureau of Economic Analysis (BEA) is an agency in the Department of Commerce that collects and reports statistics about the performance of the U.S. economy and the role of the U.S. in the global economy. The International Investment and Trade in Services Survey Act authorizes the BEA to collect information about foreign investment in the U.S. and U.S. investment abroad. This information is collected through periodic surveys completed by U.S. persons, including through comprehensive benchmark surveys conducted every five years. Completion of these surveys, where applicable, is mandatory, and failure to report may subject persons to civil or criminal penalties.

May 29, 2020, is the filing deadline for the BEA’s benchmark survey of U.S. investment abroad. All U.S. persons – which includes all forms of business entities, as well as individuals, estates, and trusts – who have one or more foreign affiliates must file. An affiliate is defined as an enterprise “directly or indirectly owned or controlled by a person of another country to the extent of 10 percent or more of its voting stock for an incorporated business or an equivalent interest for an unincorporated business, including a branch.” The 10% threshold may also be met in circumstances where groups exercise their interests or are deemed to exercise their interests in concert, such as members of the same family, joint ventures, and groups of officers or directors of the same enterprise.

The filing is made by the “U.S. Reporter,” which is either the U.S. person with one or more foreign affiliates or, if part of a consolidated enterprise, that U.S. person’s ultimate U.S. parent. The U.S. Reporter is required to report detailed information about its operations or, if relevant, the operations of the consolidated enterprise of which it is a part. It is also required to report detailed information about the operations of each foreign affiliate. This reporting burden is not insignificant, as the forms are lengthy and require financial performance, operational, employee, and balance sheet data, along with other business details. Applicable law provides that this sensitive information will be kept confidential.

In recognition of the COVID-19 outbreak, the BEA has published special guidance, including that filing extensions may be granted “if needed” and that respondents may provide estimates if access to actual data is unavailable or limited at this time. However, given the approaching deadline, the higher than normal contact volume, and the likely impact of the outbreak on the BEA’s own operations, one should request any accommodations as soon as possible.

On Wednesday, May 13, 2020, Fannie Mae and Freddie Mac unveiled new retention workout options that were jointly developed and “specifically designed to help borrowers impacted by a hardship related to COVID-19 return their mortgage to a current status.” The government-sponsored enterprises’ (GSEs) highly anticipated new COVID-19 payment deferral will allow servicers to defer up to 12 months of delinquent mortgage payments to the end of the loan term as a non-interest-bearing balance. Although the GSEs’ intentions behind the COVID-19 payment deferral are admirable, there are some questions about whether servicers can legally offer the deferral without violating the anti-evasion clause in Regulation X and, therefore, being exposed to risk.

As a refresher, the anti-evasion clause in Regulation X generally prohibits mortgage servicers from offering a loss mitigation option based upon an evaluation of an incomplete loss mitigation application. Instead, the CFPB’s mortgage servicing rules are designed to encourage servicers to collect complete loss mitigation applications and evaluate borrowers for all loss mitigation options that may be available. While servicers are always allowed to make blind offers of loss mitigation, they also are permitted to evaluate incomplete applications when the resulting offer constitutes either a short-term forbearance program or short-term repayment plan.

To make the new option simple and efficient for both servicers and borrowers, the GSEs both establish that servicers “must not require a complete Borrower Response Package (BRP) to evaluate the borrower for a COVID-19 payment deferral if the eligibility criteria are satisfied.” Instead, quality right party contact (QRPC) must be established with the borrower to gauge if (1) the borrower’s hardship has been resolved, (2) the borrower is able to make the contractual monthly payment going forward, and (3) the borrower is able to reinstate the mortgage loan or afford a repayment plan to cure the delinquency.

At the time of these interactions, servicers will likely already have an incomplete loss mitigation application open if the borrower previously requested a forbearance pursuant to the CARES Act or another COVID-19 related program. Even if, for whatever reason, that doesn’t apply in some circumstances and an application isn’t open, when the servicer makes contact with the borrower and begins discussing what is required to evaluate the borrower for the COVID-19 payment deferral, the conversation will inevitably constitute a loss mitigation application under Regulation X. The borrower will have to express an interest in loss mitigation and will have to provide information that the servicer will evaluate to make its decision. The servicer’s only option at that point under Regulation X will be to offer something that qualifies as a short-term forbearance or short-term repayment plan.

For purposes of the loss mitigation rules in Regulation X, a short-term forbearance is when a servicer allows a borrower to forgo making up to six months of payments, regardless of how long the borrower has to make up the missing payments. Given that borrowers will likely be coming off of forbearances when they are considered for a deferral and the deferral is designed to address already past due payments, it seems highly unlikely that a deferral would be considered a form of forbearance, which is traditionally considered to be a prospective option. Furthermore, the GSEs contemplate that servicers should be able to address up to 12 months of delinquent payments, which clearly does not fit within the short-term forbearance parameters in Regulation X that only permit servicers to forbear up to six months of payments. Therefore, the GSEs’ COVID-19 payment deferral will likely not meet the definition of a short-term forbearance program.

A short-term repayment plan, on the other hand, is when a borrower is allowed to repay up to three months of past due payments over a period lasting no more than six months. While a deferral could be considered a repayment plan because borrowers are agreeing to repay the arrearage over a significant period of time, the GSEs are allowing the COVID-19 deferral program to address up to 12 months of missed payments, which precludes the arrangement from being considered “short-term.” Additionally, under Regulation X, to be considered short-term, a repayment plan must address the arrearage within six months. Under a deferral, borrowers will repay the arrearage at maturity or loan payoff, which will almost always take place more than six months in the future. Either way you look at it, a COVID-19 payment deferral will also not meet the definition of a short-term repayment plan.

Given that the QRPC conversations will constitute loss mitigation applications and the COVID-19 payment deferral option will not fit into the parameters of a short-term forbearance or repayment plan, servicers may actually be required to collect a complete loss mitigation application before being able to evaluate the borrower for the new option – a reality contrary to the GSEs’ expectations and burdensome for servicers and borrowers. With that said, a servicer may be able to argue that, upon QRPC and once it determines the borrower is eligible for the COVID-19 deferral program, it actually has a complete loss mitigation application at that point. The argument would be that, following the conversation, the servicer has everything it needs to evaluate the borrower for all available loss mitigation options pursuant to the GSEs’ COVID-19 evaluation hierarchy. The strength of this argument is a bit unclear at this point and, nevertheless, it does not seem consistent with the GSEs’ expectations, as the GSEs make it very clear that the servicer must not collect a complete application and their form COVID-19 deferral offer notice does not contemplate that the offer is based upon a complete application (i.e., does not include any loan modification denial reasons, an appeal period, etc.).

While the CFPB previously announced that it will be lenient in its expectations when it comes to technical compliance with certain aspects of the mortgage servicing rules during the pandemic, its commitment has centered around future supervisory and enforcement activity. However, the CFPB has not indicated that it would provide any flexibility in terms of the anti-evasion clause in Regulation X. Furthermore, the loss mitigation rules in Regulation X are subject to private enforcement by individual borrowers, and the CFPB has not yet taken any steps to alleviate that risk. Therefore, servicers who follow the process laid out by the GSEs for the evaluation of, and offering of, a COVID-19 payment deferral may be exposed to risk of potential future supervisory, enforcement, and litigation activity. These same risks apply – perhaps even more so – to servicers that elect to apply the GSE approach to their portfolio and private investor loans. In such cases, the servicer is even less likely to be able to point to the GSE guidance for potential cover.

It is also worth noting that proposed follow-up legislation to the CARES Act, which is titled the Health and Economic Recovery Omnibus Emergency Solutions Act (HEROES Act), contains provisions that may pave a path for the GSEs’ COVID-19 payment deferral program to work and, at least theoretically, not violate the existing restrictions in Regulation X. However, that proposed legislation is not final and there appears to be substantial disagreement in the Senate over the existing proposal. Meanwhile, servicers of GSE loans will be required by Fannie Mae and Freddie Mac to follow their guidance in the coming weeks.

Servicers of Fannie Mae and Freddie Mac loans currently will be required to evaluate borrowers for the COVID-19 payment deferral beginning on July 1, 2020. We are hopeful that additional guidance will be released before that time.

Several states have recently ramped up their regulation of the student lending industry by passing laws requiring student loan servicers to be licensed in the state in order to operate there. Many of these state licensing laws are creating conflicts for servicers in an industry already dominated by federal law. Now a U.S. District Court in Connecticut has decided in Pennsylvania Higher Education Assistance Agency v. Perez that federal law preempts portions of Connecticut’s student loan servicer licensing statute, a decision that may limit the scope of other states’ licensing laws.

In 2017, Connecticut’s licensing statute placed student loan servicer Pennsylvania Higher Education Assistance Agency (PHEAA) in an impossible situation. The Connecticut Department of Banking, pursuant to Connecticut’s student loan servicer licensing statute, demanded PHEAA’s records and information related to the federal Public Service Loan Forgiveness Program. However, the Department of Education, which contracted with PHEAA for the servicing of certain federal Direct Loans in the Public Service Loan Forgiveness Program, instructed PHEAA to not disclose any data or documentation related to the Public Service Loan Forgiveness Program. The U.S. Department of Education took the position that PHEAA was prohibited from releasing the Public Service Loan Forgiveness Program’s records under the federal Privacy Act and declined to provide the records to the Connecticut Department of Banking.

Even though PHEAA informed the Connecticut Department of Banking that it could not respond to the request due to the U.S. Department of Education’s directive, the Connecticut Department of Banking threatened administrative action and suspension of PHEAA’s state license if it failed to comply with the records request. Ultimately, neither the Connecticut Department of Banking nor the U.S. Department of Education was willing to budge from their respective positions, leaving PHEAA’s state license hanging in the balance.

PHEAA sought a declaratory judgment from the federal district court as to whether federal law preempts the portions of Connecticut’s licensing statute relied on by the Connecticut Department of Banking in making its document requests. On summary judgment, the court examined the dispute under principles of conflict preemption, ultimately finding that federal law preempted the provisions of Connecticut’s licensing statute that required PHEAA to provide documents related to its servicing of federal student loans.

The court first noted that Connecticut’s “licensing requirements for student loan servicers overlap with [the U.S. Department of] Education’s own criteria for selecting its servicing contractors,” and accordingly interfere with the U.S. Department of Education’s selection process for its own contractors. This, the court held, violated the U.S. Supreme Court’s precedent set in Leslie Miller, Inc. v. State of Ark., in which the Supreme Court struck down a state licensing statute that virtually gave the state power of review over a federal contractor determination.

The court also held that “impossibility preemption bars the portions of [the Connecticut Department of Banking’s] demands that sought documents and information protected by the Privacy Act, since ‘compliance with both federal and state regulations [wa]s a physical impossibility’ for PHEAA.” The court noted that the U.S. Department of Education has “substantial discretion” in whether to release documents under the Privacy Act and has ownership of the documents themselves. PHEAA thus had no power on its own to provide the documents to the Connecticut Department of Banking, and impossibility preemption applied.

Notably, the court did not hold that Connecticut’s general licensing requirement was preempted, but rather limited preemption application to just those portions of Connecticut’s licensing statute that covered state investigations and record-keeping requirements for federal student loan servicers. Also, the opinion appears to restrict preemption to the servicing of federal student loans rather than privately held student loans. Lastly, while the court declined to reach the issue of whether field preemption applies, the court noted that there was some authority suggesting field preemption would not be appropriate as it relates to the relationship between state licensing laws and federal law.

This decision limits the reach of Connecticut’s licensing statute because it strips some potent tools from the Connecticut Department of Banking — investigatory powers and informational demands. While the decision likely will not slow the growing trend of state licensing laws aimed at the student lending industry, it may take the teeth out of some of the provisions.

In recent years, the CFPB has sent different messages regarding its approach to regulating tribal lending. Under the bureau’s first director, Richard Cordray, the CFPB pursued an aggressive enforcement agenda that included tribal lending. After Acting Director Mulvaney took over, the CFPB’s 2018 five-year plan indicated that the CFPB had no intention of “pushing the envelope” by “trampling upon the liberties of our citizens, or interfering with sovereignty or autonomy of the states or Indian tribes.” Now, a recent decision by Director Kraninger signals a return to a more aggressive posture towards tribal lending related to enforcing federal consumer financial laws.

Background

On February 18, 2020, Director Kraninger issued an order denying the request of lending entities owned by the Habematolel Pomo of Upper Lake Indian Tribe to set aside certain CFPB civil investigative demands (CIDs). The CIDs in question were issued in October 2019 to Golden Valley Lending, Inc., Majestic Lake Financial, Inc., Mountain Summit Financial, Inc., Silver Cloud Financial, Inc., and Upper Lake Processing Services, Inc. (the “petitioners”), seeking information related to the petitioners’ alleged violation of the Consumer Financial Protection Act (CFPA) “by collecting amounts that consumers did not owe or by making false or misleading representations to consumers in the course of servicing loans and collecting debts.” The petitioners challenged the CIDs on five grounds – including sovereign immunity – which Director Kraninger rejected.

Prior to issuing the CIDs, the CFPB filed suit against all petitioners, except for Upper Lake Processing Services, Inc., in the U.S. District Court for Kansas. As in the CIDs, the CFPB alleged that the petitioners engaged in unfair, deceptive, and abusive acts prohibited by the CFPB. Additionally, the CFPB alleged that the petitioners violated the Truth in Lending Act by not disclosing the annual percentage rate on their loans. In January 2018, the CFPB voluntarily dismissed the action against the petitioners without prejudice. Accordingly, it is surprising to see this second move by the CFPB, in the form of CIDs against the petitioners.

Denial to Set Aside the CIDs

Director Kraninger addressed each of the five arguments raised by the petitioners in the decision rejecting the request to set aside the CIDs:

CFPB’s Lack of Authority to Investigate Tribe – According to Kraninger, the Ninth Circuit’s decision in CFPB v. Great Plains Lending “expressly rejected” all of the arguments raised by the petitioners as to the CFPB’s lack of investigative and enforcement authority. Specifically, as to sovereign immunity, the director concluded that “whether Congress has abrogated tribal immunity is irrelevant because Indian tribes do not enjoy sovereign immunity from suits brought by the federal government.”

Protective Order Issued by Tribe Regulator – In reliance on a protective order issued by the Tribe’s Tribal Consumer Financial Services Regulatory Commissions, the petitioners argued that they are instructed “to file with the Commission—rather than with the CFPB—the information responsive to the CIDs.” Rejecting this argument, Kraninger concluded that “nothing in the CFPA requires the Bureau to coordinate with any state or tribe before issuing a CID or otherwise carrying out its authority and responsibility to investigate potential violations of federal consumer financial law.” Additionally, the director noted that “nothing in the CFPA (or any other law) permits any state or tribe to countermand the Bureau’s investigative demands.”

The CIDs’ Purpose – The petitioners claimed that the CIDs lack a proper purpose because the CIDs “make an ‘end-run’ around the discovery process and the statute of limitations that would have applied” to the CFPB’s 2017 litigation. Kraninger claims that because the CFPB dismissed the 2017 action without prejudice, it is not precluded from refiling the action against the petitioners. Additionally, the director takes the position that the CFPB is permitted to request information outside the statute of limitations, “because such conduct can bear on conduct within the limitations period.”

Overbroad and Unduly Burdensome – According to Kraninger, the petitioners failed to meaningfully engage in a meet-and-confer process required under the CFPB’s rules, and even if the petitioners had preserved this argument, the petitioners relied on “conclusory” arguments as to why the CIDs were overbroad and burdensome. The director, however, did not foreclose further discussion as to scope.

Seila Law – Finally, Kraninger rejected a request for a stay based on Seila Law because “the administrative process set out in the Bureau’s statute and regulations for petitioning to modify or set aside a CID is not the proper forum for raising and adjudicating challenges to the constitutionality of the Bureau’s statute.”

Takeaway

The CFPB’s issuance and defense of the CIDs appear to signal a shift at the CFPB back towards a more aggressive enforcement approach to tribal lending. Indeed, while the pandemic crisis persists, the CFPB’s enforcement activity in general has not shown signs of slowing. This is true even as the Seila Law constitutional challenge to the CFPB is pending. Tribal lending entities should be tuning up their compliance management programs for compliance with federal consumer lending laws, including audits, to ensure they are ready for federal regulatory review.

On April 24, 2020, the Texas Supreme Court upheld a lender’s right to equitable subrogation for non-compliant home equity loans, ruling that lenders who fail to cure within the statutorily mandated 60-day period may recoup funds paid to satisfy prior liens. The court’s opinion in Federal Home Loan Mortgage Corp. v. Zepeda answered a certified question from the United States Fifth Circuit Court of Appeals, and gives some relief to home equity lenders in a notoriously complicated environment.

Texas has a long history of protecting the family homestead from foreclosure by limiting the types of liens that can be placed upon homestead property, being the last state to permit home equity loans by virtue of a constitutional amendment in 1997. These loans allow homeowners to use the equity in their home as collateral to refinance a prior debt and secure additional funds at rates that are typically lower than other types of consumer loans. Home equity loans are strictly regulated by article XIV, section 50(a)(6) of the Texas Constitution, which promulgates a large and often confusing number of rules and regulations regarding loan origination that frequently leads to subsequent consumer litigation. This same section also sets out a framework by which lenders are to be notified of alleged errors and cure any noncompliance (usually by correcting the error and paying a penalty). In the event a lender fails to cure the noncompliance within 60 days of being put on notice by the borrower, it forfeits all principal and interest on the loan in an eventual foreclosure action.

This decision comes against the backdrop of two recent decisions in which the Texas Supreme Court held that no statute of limitations applied to quiet title claims stemming from noncompliant home equity loans, a striking victory for borrowers. By way of example, a properly noticed noncompliance demand letter pursuant to Section 50(a)(6) can be sent at any time after closing, even in the 29th year of a loan.

Up until recently, lenders availed themselves of the doctrine of equitable subrogation to help ease the pain of failing to cure a noncompliant loan, which was expressly blessed by the Texas Supreme Court in LaSalle Bank National Association v. White. Per LaSalle Bank (and consistent with long-standing general Texas commercial law), a lender who discharges a valid lien on the property of another can step into the prior lienholder’s shoes and assume that lienholder’s security interest in the property, even though the lender cannot foreclose on its own lien. Thus, though a lender is not made entirely whole, it is afforded some relief. The unaddressed issue in LaSalle Bank was whether a lender had clean hands if that lender failed to respond to a borrower’s notice of non-compliance, an argument that seemed to have some support.

Thus, the stage was set for Zepeda. The case, arising in the Southern District of Texas, involved a defective acknowledgement of fair market value, and the borrower brought suit against Freddie Mac to quiet title. The borrower raised claims for both contractual and equitable subrogation. The district court found in favor of the borrower, holding that Freddie could not avail itself of contractual subrogation due to the defective loan documents. The district court also rejected any claim for equitable subrogation because Freddie had supposedly been “negligent” in failing to cure the defective loan documents after being properly noticed of its noncompliance.

On appeal, the Fifth Circuit affirmed the district court’s holding on contractual subrogation. When it turned to the issue of equitable subrogation, however, the court was unable to find any Texas Supreme Court cases directly dealing with instances of constitutional defects that were solely the fault of the lender. Therefore, the Fifth Circuit issued a certified question to the Texas Supreme Court to clarify the issue.

The Texas Supreme Court found in favor of the lender’s right to equitable subrogation, and in reaching its decision, reviewed a century-long history of decisions addressing equitable subrogation in conjunction with the development of Section 50 of the Constitution. As reasoned by the court, because Section 50(a)(6) does not expressly displace the equitable remedy, such language should not be read into the Constitution.

While the Texas Supreme Court’s opinion affords relief to home equity lenders, the pitfalls that gave rise to this issue in the first place still exist. Home equity lending is complicated and the failure to comply can have drastic consequences. Further, equitable subrogation is truly a remedy of last resort as a lender can find itself severely under-secured and many times the cost to cure can be excessive. Given that many consumers will need to tap their equity in these times of the COVID-19 pandemic and high unemployment, lenders should expect Texas home equity loans to continue to be on the forefront of the Texas financial marketplace.

About our firm

Bradley is a national law firm with a reputation for skilled legal work, exceptional client service, and impeccable integrity. Our more than 500 attorneys provide business clients around the world with a full suite of legal services in dozens of industries and practice areas. Bradley’s 10 offices are located in Alabama, Florida, Mississippi, North Carolina, Tennessee, Texas, and the District of Columbia, giving us an extensive geographic base to represent clients on a regional, national, and international basis. We frequently serve as national coordinating counsel, regional counsel, and statewide counsel for clients in various industries.